Dear Principal and School Leadership Team,
Cyberattacks involving data breaches are taking place at an increasingly alarming rate in Irish schools. These cyberattacks, which can occur at any time, day or night, at weekends or during school holidays, have targeted school servers, school data backup systems, school administration systems, payment systems, as well as Microsoft 365 and Google Workspace for Education. In such attacks IT systems and computing devices have been infected, disabled, encrypted and rendered unusable. School systems and staff/pupil computing devices have had to be erased and all software re-installed, to ensure devices no longer contained malware. Where schools didn’t have a high-quality separate data backup system in place, important school data was lost, with little possibility of data recovery.
Where cyberattacks have accessed school IT systems, this can allow access to private school data, including staff and pupil personal data, and other confidential data.
Cyberattacks now use the latest AI-enabled techniques to access school systems and steal school login details and data, which are typically sold on to other cybercriminals on the dark web.
Cyber-attackers can also infiltrate and impersonate school accounts to make unauthorised payments from a school bank account to the cyber-attacker’s own external bank account.
If your school suffers a cyberattack, it could have a severe negative impact on your school IT systems, staff and pupil data, and it could take weeks or months to fully restore your IT systems.
Concerningly, while school leadership teams are generally aware of these risks, some have yet to prioritise taking critical preventative measures.
Failing to take urgent preventative actions could leave your school at a high risk of cyberattack and in a highly vulnerable situation.
Schools need to urgently review and take action in the following key areas:
1. Schools should urgently work with their IT provider to carry out a school cybersecurity review, in the following areas.
2. Unless your school has a high-quality Data Backup and Recovery system in place, your school data is at serious risk of being lost or stolen, resulting in a data breach. Also please note that Microsoft 365 and Google Workspace for Education platforms don’t guarantee that your school data is backed up. At a minimum the school leadership team accounts and other important school accounts should have their data backed up to a separate high-quality third-party cloud data-backup service, on a daily basis.
3. As school servers are often targeted by ransomware and cyberattacks, they should no longer be in place in schools. Despite what your IT provider may advise you, there is no longer a need for a server in a school to manage storage, DHCP or printers. To eliminate this cybersecurity risk, where servers are currently in place they should be disconnected from the school network as soon as possible. Then any important data should be copied from the server and the server powered off.
4. School firewalls, if they are correctly configured, are designed to reduce the risk of cyberattacks. However, if your firewall is poorly configured, it’s like leaving your home front door unlocked. It is critical to regularly review firewall rules and test that they work. For example, if school management or external IT providers can remotely access school systems for IT support or to access security cameras, cyber-attackers may also be able to use this approach to access your school network and IT systems, unless appropriate firewall controls are in place.
5. System administrator accounts are the most critical accounts in protecting school data and as such are frequently targeted in cyberattacks. To reduce the risk, school IT System Administrators need to have two totally separate accounts, with different passwords: one for their role as system administrator (e.g. sysadmin@schoolxx.ie) and a separate standard account for their named account (e.g. john.murphy@schoolxx.ie). This will help protect system administration accounts. No member of your school should be using a ‘global admin’ or ‘super admin’ account for routine email communications. Typical staff members that are using such system admin accounts include principals, deputy principals, IT coordinators, and external IT providers granted access for specific purposes. To reduce risk, the number of system administration accounts should be kept to a minimum, ideally no more than two per school.
6. Two-factor authentication (2FA) should be enforced for all system administrators, for all school IT systems and for all staff accounts.
7. Schools using Microsoft 365 ideally need to have a minimum of A3 licensing in place, as it includes important security features (compared to A1 licensing). A3 licences need to be correctly configured to protect your Microsoft 365 system. Correctly configured A3 licensing, including Microsoft Defender for Endpoint, is recommended as an alternative to using traditional antivirus software on devices.
8. Every computing device (desktops, laptops, tablets and mobiles) that connects to the school network should be seen as a ‘potential’ cyberthreat to the school. This is because any staff or pupil computing device can become infected with malware and can in turn infect other devices on the school network. To reduce the risk of attacks, all computing devices should ideally be ‘managed’ devices. These are devices that are loaded with a known set of ‘approved’ software. No other ‘unapproved’ software is allowed to be added to these managed devices. If additional software is required to be added to managed devices, there needs to be an agreed process whereby this takes place. In effect managed devices are ‘locked down’ and controlled. If a school policy allows ‘unmanaged’ devices, such as personal laptops, onto a school network, there is a significant risk that unapproved software or malware on these devices may put the entire school at greater risk of cyberattack. So to help prevent such situations, schools need to review their policy in relation to allowing unmanaged, personal or BYOD computing devices within the school.
9. In addition to the points referred to here, other priority areas that need to be reviewed on an ongoing basis by schools are outlined in Oide Technology in Education’s Cybersecurity Guidance and Supports for Schools, which is available at: https://www.oidetechnologyineducation.ie/technology-infrastructure/data-security/. It is critical that all schools have a Cybersecurity Policy in place. A template policy document, developed specifically for schools, is available at this link and covers the following key areas:
1. Controlling access to key systems and data
2. School network/WiFi security, other systems
3. Software and application security updates
4. Protecting computing devices
5. Data backups and recovery
6. Incident response and recovery
7. Cybersecurity awareness and training